From bc43981ccfddbf52bb24ee56011a655d4c41dfaf Mon Sep 17 00:00:00 2001
From: Zev Benjamin
Date: Mon, 25 Nov 2013 11:50:11 -0500
Subject: [PATCH] socket: Explain why we disable some transports

(imported from commit 670d2f558a11a6f4fcce3f2e107582c4425b9285)
---
 zerver/lib/socket.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/zerver/lib/socket.py b/zerver/lib/socket.py
index a4ab3d99a9..0b8fe3a56e 100644
--- a/zerver/lib/socket.py
+++ b/zerver/lib/socket.py
@@ -254,6 +254,9 @@ def respond_send_message(data):
 remote_ip=connection.session.conn_info.ip,
 email=connection.session.user_profile.email,
 client_name='?')
+# We disable the eventsource and htmlfile transports because they cannot
+# securely send us the zulip.com cookie, which we use as part of our
+# authentication scheme.
 sockjs_router = sockjs.tornado.SockJSRouter(SocketConnection, "/sockjs",
 {'sockjs_url': 'https://%s/static/third/sockjs/sockjs-0.3.4.js' % (settings.EXTERNAL_HOST,),
 'disabled_transports': ['eventsource', 'htmlfile']})
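Review bot: The new comment hard-codes `zulip.com` as the cookie's domain, while the router it sits above is configured from `settings.EXTERNAL_HOST`, so the explanation is wrong for any deployment that is not zulip.com and will quietly go stale. It also says the two transports "cannot securely send us" the cookie without naming the failing property (presumably that these transports do not carry the session cookie on the authenticated request, but I can't confirm that from the hunk), which is exactly what a maintainer needs when deciding whether a transport added by a future SockJS release is safe to leave enabled. Since `disabled_transports` is a denylist, an upgrade of sockjs-tornado or of the client pinned at `sockjs-0.3.4.js` can enable transports nobody vetted against this requirement, and the comment should say so. Suggested wording: `# We disable the eventsource and htmlfile transports because they cannot securely send us the session cookie for settings.EXTERNAL_HOST, which our authentication relies on. disabled_transports is a denylist: re-audit it against that requirement whenever sockjs-tornado or the pinned sockjs client is upgraded.` The preceding context lines belong to `respond_send_message`, whose definition starts outside the hunk.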